For years, we’ve been touting the virtues of KeePass Password Safe, a free open-source program for storing all your website passwords and associated notes behind a single master password. And to synch KeePass across multiple machines, we’ve been recommending that readers store the encrypted database on Dropbox. However, we got to wondering whether the popular browser-based password manager LastPass was a superior, one-stop solution. So this month, we invited the two free password trappers to duke it out for bragging rights.
The CAPTCHA is a wonderful thing, but it’s not without its failings. And as hackers get better and better at cracking them, a team of CMU engineers are proposing an alternative: Inkblot tests.
A new privacy fuss is kicking off around Google’s Android mobile OS, with security boffins claiming that the software’s backup tools mean that a copy of everyone’s Wi-Fi password history is now saved to Google’s servers. Which may mean it could be legally compelled to hand them out, should a government come calling.
Passwords could be passé if this Toronto-based startup has its way. Bionym, which was founded in 2011 and closed a $1.4 million (CAD) seed round last month, has devised a biometric recognition system in the form of a wearable wristband — called Nymi, just launched as a pre-order for $79 for early 2014 shipping.
The wristband relies on authenticating identity by matching the overall shape of the user’s heartwave (captured via an electrocardiogram sensor). Unlike other biotech authentication methods — like fingerprint scanning and iris-/facial-recognition tech — the system doesn’t require the user to authenticate every time they want to unlock something. Because it’s a wearable device, the system sustains authentication so long as the wearer keeps the wristband on.
To authenticate via Nymi, the user puts the wristband on and touches a topside sensor with one hand to complete an electrical loop with the bottom-side sensor touching their wrist. That generates the ECG data used to authenticate their identity, and the wristband transmits the ECG (via Bluetooth) to the corresponding registered app, on a smartphone or other device in proximity to the user, to verify the wearer is who they say they are.
Bionym says Nymi is a three-factor security system, being as multiple pieces have to be in place for authentication to be achieved. However the system skips some ongoing hassle of multi-factor systems by maintaining an authenticated state and only requiring the user to offer up their biometric data once per day (or however often they remove the wristband).
As well as an ECG sensor and Bluetooth low energy for transmitting data, the wristband contains a gyroscope and accelerometer so it can support gesture unlocking scenarios, too (it has 6-axis motion sensing) — so you could use a particular wrist twist to unlock a car door, for instance. That sort of scenario will depend mostly on third party developers getting involved and building out an app ecosystem around the device. Bionym is releasing an API that will be open source so it’s hoping to attract broad interest.
Proximity is another parameter developers could build into unlocking scenarios — a payments application would make sense to require the wristband to be in close proximity to a reader to confirm a transaction, for instance, whereas a smart TV might want to configure a profile to a particular user when they walk into the room.
The wristband device itself could also be used for health/activity tracking, saysCEO and co-founder Karl Martin. “We will support basic gestures ourselves, and we will also give access to the motion information for other uses. For example, people might want to use it for activity tracking, in addition to the gestures,” he tells TechCrunch.
The Nymi device will include a battery to power the data capture and transfers — which Martin said will support about a week’s use between charges. The corresponding Nymi app will let users create custom notifications if they so desire, so they could configure the app to alert them to new emails or messages when they authenticate the device in the morning. The app will be available on iOS, Android, Windows and Mac OSX initially. An open-source SDK will allow for developers to port support to other platforms.
Bionym, which was originally spun out of the University of Toronto (where Martin got his Ph.D.), claims it doesn’t have any “real direct competitors” for the specific functionality it’s offering.
“We don’t view this as just a product to unlock your devices, smartphones, etc. Those are security applications. We’re looking beyond that to smart environments. How do we enable hyper-personalised experience? These are all applications of identity. Security is one application but not the only one, and as far as I know nobody else is doing that,” says Martin.
There’s no doubt plenty of others are eyeing up the password-alternative space, though. Google is one and is part of the FIDO Alliance that’s seeking to come up with a new framework for digital authentication. Anyone who can crack the ‘passwords are broken’ problem with a robust, low-friction alternative is clearly in for a very lucrative ride.
Add to that, there’s potential for capturing extremely granular user data if users are required to wear a sensor at all times when accessing their gadgets and services. However Martin stresses that Nymi is building in privacy “by design,” as well as security — with a hardware-secure element where the user’s ECG data is cryptographically stored and which — crucially — other applications will require user permission to access.
“We have a cryptographic chip on the wristband,” he notes. “We’re not just depending on software, we have hardware-based cryptography there. It … allows that communication to be encrypted. It doesn’t just depend on just the Bluetooth standard which has some weaknesses.
“When it’s transmitting your identity… to your devices around you you don’t want anybody to know that it’s you unless you opt in, you don’t want to be tracked, you don’t want somebody, say, a Bluetooth scanner to know when you’re around so we encrypt that information so that it becomes opt in. Nobody can know that it’s you without your permission.”
Using hardware-based cryptography also allows the Nymi to bolster its defences against identity spoofing attacks. “If your identity is essentially a long binary string, can’t somebody just copy that and retransmit it? And the answer to that is we digitally sign all the data coming off the wristband so that it’s impossible for anybody to spoof that data and essentially steal your identity,” he adds.
So what will Nymi offer its early adopters? At launch, in the beginning of 2014, it will support built in device unlocking capabilities, and be supported by a range of third party apps, says Martin.
“We’re going to be working very closely with developers this fall,” he says. “We already have lots of developers signed up for that. So we’re going to be ourselves offering basic capabilities ourselves for unlocking personal devices and computers. And then at the same time we are engaged with several companies that make consumer electronic products… that’s going on behind the scenes. And then there are third party developers — and we’re going to be all about nurturing that to happen so that by the time we launch there will definitely be some high quality third party applications.”
Looking ahead, the grand vision is surely for a password-less future, based on authentication via wearable biometrics. That’s a ways off, right now though, as Martin concedes. ”The goal is not to simply manage passwords, the goal is to replace passwords,” he says. “That being said it obviously takes time for these things to be adopted in a ubiquitous way so we are looking at some intermediate solutions to integrate with password managers, things like that.
“Part of our launch right now is to see what are the kinds of integrations people want the most… We want to get people’s ideas for what the vision for this kind of a product is so we can focus on that.”
Most browsers will ask if you want your passwords saved so when you’re next jumping around the web, logging into sites is that bit easier. Of course, you’d like think those passwords are squirreled away where no one can dig them up, but in Chrome they’re pretty easy to find. As highlighted by software developer Elliott Kember recently, getting access to the list of saved passwords requires only that you point the browser at “chrome://settings/passwords” (or simply find the password management option in advanced settings) and click on one of the saved entries. A small “show” button will then appear next to the hidden password — hit that and it’ll be revealed.
Calling this a major security flaw, as some have, is obviously a tad sensationalistic. Nevertheless, recent attention has shown that making saved password access so simple is a concern for some. Several other browsers give users the option to protect that list with a master password, but Chrome does not — even if you sign out of the browser, data linked to your Google account remains visible on that computer. Justin Schuh, Chrome security tech lead, has responded to internet chatter on the topic, saying that once past the OS login stage, someone can theoretically find your passwords and all manner of other browser info out anyway, using various underhand means. His statement isn’t likely to calm those who’d like to see their passwords more secure, but perhaps the fact people are talking will force Google to consider some changes.
Update: This post has been edited with some additional context and commentary.
Most browsers will ask if you want your passwords saved so when you’re next jumping around the web, logging into sites is that much easier. Of course, you’d like think those passwords are squirreled away where no one can dig them up, but in Chrome it’s actually very easy to find them. As highlighted by software developer Elliott Kember, getting access to the list of saved passwords requires only that you point the browser at “chrome://settings/passwords” (or simply find the password management option in advanced settings) and click on one of the saved entries. A small “show” button will then appear next to the hidden password — hit that and it’ll be revealed. Justin Schuh, Chrome security tech lead, has responded to various comments on this, saying that once someone’s gotten past the OS login stage, they could theoretically find your passwords and all manner of other info out anyway, using various underhand means. No doubt the attention this is bound to receive will force an update from Google that actually hides users’ passwords. Until then, keep your laptop away from any malicious friends that, given half the chance, would wreak havoc to your Facebook account.
Zoho’s more commonly known around the interwebs for its document editing tools, but today the service is launching a product that’s a little more business-oriented than its Office suite. With the newly introduced Zoho Vault, the company’s hoping to give business owners a centralized repository where they can easily manage their passwords online — something slightly similar to what LastPass offers. Of course, security will likely be very important for potential customers, and Zoho says it’ll be able to keep a rigorous lockdown by implementing things such as Host-Proof Hosting, a measure which encrypts passwords at the browser and stores only encrypted data on the server. The Personal Edition of Zoho Vault is available now for free and can be accessed by one person, while the Enterprise Edition costs a mere $1 per month, offers an iPhone app and supports unlimited users.
Recently speaking at the Interop IT conference, PayPal’s chief information security officer, Michael Barrett, stated that passwords and PINs were operating on borrowed time. Barrett hopes to replace online security keys with a setup that’s a blend of software and hardware-based identification. He also serves as president of the Fast Identity Online Alliance (FIDO) — the organization’s focus is to combine an effective mix of software (passwords and plugins) and hardware (USB drives and fingerprint scanners) for user authentication.
PayPal’s technology boss didn’t allude to his company adopting these new types of security systems for its customers anytime soon. Instead he announced that FIDO-enabled devices will be hitting the market sometime this year. Progress, yes, but until this hardware becomes more widely available, it’s likely that you’ll be spending more time getting acquainted with two-step logins.
So you got caught with your pants down on the Internet (figuratively, folks) and contracted a virus. That sucks. Or maybe you were wearing protection but still fell victim to some nasty bit of code that managed to slip by your antivirus software undetected. That sucks even more. Either way, it’s nothing to feel ashamed about. The web is a dangerous place and even the most tech savvy users sometimes slip up. You can even get a virus through no fault of your own simply by visiting a reputable website that, unbeknownst to you, has been compromised by a hacker with malicious intent. The web is a war zone, and even if you’re not a target, you can still end up a casualty. More »
This is site is run by Sascha Endlicher, M.A., during ungodly late night hours. Wanna know more about him? Connect via Social Media by jumping to about.me/sascha.endlicher.
The Bible might not be quite the good book it claims to be. According to an 
